Building a smart and effective information security infrastructure is a challenging task that many companies cannot fully accomplish, which results in gaps in corporate security. You have installed an antivirus – and an employee has opened a link in a phishing email. You have set up a firewall – and a disloyal employee has emailed your business plan to competitors. You have implemented a DLP system – and a DDoS attack has shut your web services down. Because of the diversity of threats, companies need a comprehensive approach to protecting information resources. Falcongaze Analytics Center has compiled a list of preventive measures that will help minimize risks, prevent leaks of confidential information and ensure the safety of the business.
A well-organized system of information storage and document management is an important, though often overlooked, component of an information security infrastructure. Companies often do not know exactly where their sensitive information resides on the network. The main objective in this situation is to establish where sensitive information is located, how it is structured and who has access rights to it. It is pointless to try to protect a vague set of documents – all data should be classified and structured. These tasks are covered by various enterprise project management and DMS products. Where operational convenience involves a remote workforce, access to confidential data and corporate resources can be established over the Internet. The volume of data in these situations should be minimized, and employees should connect to the resources over secure channels.
Access Rights Management
Every company is subdivided into divisions or departments with different levels of responsibility and competence. The bigger the company, the more diverse its staff and the more complicated its corporate structure. Growth often brings new divisions, remote offices and regional branches. Each user group requires its own level of access rights, especially when dealing with confidential information. Bank account information and contract details fall within the professional competence of the Accounting Department, and the IT division has nothing to do with this data. Accounting officers, in turn, should be kept away from servers and development resources. To enforce this approach, a range of identity management functionality is available, and most corporate systems allow group policies to be created.
Some information security products, like SecureTower by Falcongaze, give division managers access to information on their own staff only; information security officers have access to security incidents only and cannot browse through user activities; and information on financial documents transmitted by accounting officers can be available solely to the CEO. All components of the corporate infrastructure should be tuned in a similar way: various prohibition levels can be configured on firewalls, access to documents can be easily configured in all major project management solutions, and physical access is covered by access control and management systems.